Software Security

CompSci 725 FC 02
Clark Thomborson
Handout 5: Suggestions for Oral Reports and Term Projects

The papers marked (♦) are highly recommended by the instructor.


1)      Techniques for Protecting Software (and Media Objects)

a)      Watermarking

¨      S Craver, N Memon, B-L Yeo, and M Yeung, “Resolving Rightful Ownerships with Invisible Watermarking Techniques: Limitations, Attacks, and Implications,” IEEE Journal on Selected Areas in Communications 16(4), 573-586, May 1998.

¨      S Greenberg, “Easter Egg Insertion, Detection and Deletion in Commercial Software”, 600.505 Independent Research Project, Department of Computer Science, Johns Hopkins University (USA), 29 June 2000.  Available, March 2002.

¨      J Palsberg, S Krishnaswamy, M Kwon, D Ma, Q Shao, and Y Zhang, Experience with software watermarking, In Proceedings of the 16th Annual Computer Security Applications Conference, ACSAC '00, IEEE, 308-316, 2000. Available:, March 2002.

¨      J Stern, G Hachez, F Koeune, and J-J Quisquater, "Robust Object Watermarking: Application to Code." In LNCS 1768, Springer Verlag, 368-378, 2000.

¨      R Venkatesan, V Vazirani, S Sinha, “A Graph Theoretic Approach to Software Watermarking”.  In .S. Moskowitz (ed.), Proc. 4th International Workshop on Information Hiding (IHW 2001), LNCS 2137, Springer-Verlag, 157-168, 2001.

·        D Grover (ed.), “Program Identification”, Chapter 6 of The Protection of Computer Software --- Its Technology and Applications, 2nd edition, Cambridge University Press, 1992 (out of print).

·        E Praun, H Hoppe, A Finkelstein, “Robust Mesh Watermarking”, Proc SIGGRAPH 1999, 69-76, 1999.

·        J Rosen and B Javidi, “Hidden Images in Halftone Pictures”, Applied Optics 40(20), 3346-3353, 10 July 2001.

b)      Obfuscation

¨      B Barak, O Goldreich, R Impagliazzo, S Rudich, A Sahai, S Vadhan, and K Yang, “On the (Im)possibility of Obfuscating Programs (Extended Abstract)”.  In J Kilian (ed.), Advances in Cryptology – Crypto 2001, LNCS 2139, Springer-Verlag, 2001.

¨      E Valdez, M Yung, "Software DisEngineering: Program Hiding Architecture and Experiments." In Proc IH’99, LNCS 1768, Springer Verlag, 379-394, 2000. A technical report on a related subject is available at (but page 5 won't print as at 1 Aug 00).

¨      C Wang, J Hill, J Knight, J Davidson, “Software Tamper Resistance: Obstructing Static Analysis of Programs”, Technical eport CS-2000-12, Department of Computer Science, U Virginia (USA).  Available:, May 2001.

c)      Tamperproofing

¨      H Chang and M Atallah, “Protecting Software Code by Guards”.  In Workshop on Security and Privacy in Digital Rights Management 2001.  Available:, February 2002.

¨      B Horne, L Matheson, C Sheehan, and R Tarjan, “Dynamic Self-Checking Techniques for Improved Tamper Resistance”.  In Workshop on Security and Privacy in Digital Rights Management 2001.  Available:, February 2002.

d)      Copy Detection

¨      N Shivakumar and H Garcia-Molina, “Building a Scalable and Accurate Copy Detection Mechanism”.  In Proceedings of 1st ACM Conference on Digital Libraries (DL'96), Bethesda, Maryland, 160-168, March 1996.

e)      Language-Based Security

¨      D Wallach, E Felten, and A Appel, “SAFKASI: A Security Mechanism for Language-based Systems”, ACM Transactions on Software Engineering and Methodology 9(4), October 2000, pp. 341-378.

·        D Volpano, G Smith, “Language Issues in Mobile Program Security”, In Mobile Agents and Security, Springer Verlag, LNCS 1419, pp. 25-43, 1998.

f)       Legal and Ethical Controls

·        R Vaughan, “Defining Terms in the Intellectual Property Protection Debate: Are the North and South Arguing Past Each Other When We Say “Property”?  A Lockean, Confucian, and Islamic Comparison”, ILSA Journal of International and Comparative Law 2(2), Winter 1996.  Available:, March 2002.

g)      Attacks on Hardware and Software

¨      R Anderson and M Kuhn, “Low Cost Attacks on Tamper Resistant Devices”.  In M Lomas et al. (ed.), Proc. of 5th International Workshop on Security Protocols, Paris, LNCS 1361, Springer-Verlag, 125-136, April 1997.

¨      M Bond and R Anderson, “API-Level Attacks on Embedded Systems”, IEEE Computer, 67-75, October 2001.

¨      M Kuhn and R Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in David Aucsmith (ed.) Information Hiding 1998, LNCS 1525, Springer-Verlag, 124-142, 1998.

¨      M Kuhn, “Optical Time-Domain Eavesdropping Risks of CRT Displays”.  To appear, Proc of IEEE Symposium on Security and Privacy, May 2002.  Available:, March 2002.

¨      B Miller, M Christodorescu, R Iverson, T Kosar, A Mirgorodskii, F Popovici, “Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes”, Parallel Processing Letters (to appear, 2001).  Also appears in the Second Los Alamos Computer Science Institute Symposium, Sante Fe, NM (October 2001).  Available:, March 2002.

·        P Gutmann, “Secure deletion of data from magnetic and solid-state memory,” Proc 6th USENIX Security Symposium, July 1996.  Available:, March 2001.

2)      Secure Systems Design and Analysis

a)      Digital Rights Management

¨      T Budd, “Protecting and Managing Electronic Content with a Digital Battery”, IEEE Computer, 2-8, August 2001.

¨      J Feigenbaum, M Freedman, T Sander, A Shostack, “Privacy Engineering for Digital Rights Management Systems”.  In Workshop on Security and Privacy in Digital Rights Management 2001.  Available:, February 2002.

¨      M Jakobsson, M Reiter, “Discouraging Software Piracy Using Software Aging”.  In Workshop on Security and Privacy in Digital Rights Management 2001.  Available:, February 2002.

·        S Bechtold, “From Copyright to Information Law – Implications of Digital Rights Management”.  In Workshop on Security and Privacy in Digital Rights Management 2001.  Available:, February 2002.

·        R Merkle, "Protected Shareware: A Solution to the Software Distribution Problem." Online document in PDF dated "October 19, 1998" and marked "Copyright 1993 by Xerox Corporation. All Rights Reserved. This draft is being distributed for the purpose of feedback and commentary. As a courtesy to the author, please limit its distribution."

b)      Mobile Agents

¨      R Gray, D Kotz, G Cybenko, D Rus, “D’Agents: Security in a multiple-language, mobile-language system,” in Mobile Agents and Security, Lecture Notes in Computer Science 1419, ed. Giovanni Vigna, 154-187, Springer-Verlag, 1998.

¨      T Sander and Chr. Tschudin, “Towards Mobile Cryptography”.  In Proceedings of the 1998 IEEE Symposium on Security and Privacy, 215–224, May 1998.

·        U Wilhelm, “A pessimistic approach to trust in mobile agent platforms,” IEEE Internet Computing, 40-48, Sept-Oct 2000.

c)      Privacy, Authentication, and Reliable Service in Messaging Systems

¨      O Berthold, M Kohntopp, “Identity Management Based on P3P,” in H. Frederrath (Ed.), Designing Privacy Enhancing Technologies (Proceedings of the International Workshop on Design Issues in Anonymity and Unobservability), LNCS 2009, pp. 141-160, Springer-Verlag, 2001.

¨      D Davis, “Compliance Defects in Public-Key Cryptography”.  In Proc 6th USENIX Security Symposium, 1996.  Available:, March 2002.

¨      M Jakobsson and S Wetzel, “Security Weaknesses in Bluetooth.”  In D Naccache (ed.), Progress in Cryptology – CT-RSA 2001 (LNCS 2020), 176-191, 2001.

¨      M Sirbu, J Chuang, “Distributed authentication in Kerberos using public key cryptography,” Proc Network and Dist Sys Security 1997, IEEE, 134-141, 1997.

·        T Parks, D Kassay, C Weinstein, “Vulnerabilities of Reliable Multicast Protocols.”  In Proc. 1998 IEEE Military Communications Conference (MILCOM’98), Vol. 3, 934-938, October 1998.

d)      Hardware-Based Security

·        P Bieber, J Cazin, P Girard, J-L Lanet, V Wiels, G Zanon, “Checking Secure Interactions of Smart Card Applets”.  In Proc ESORICS 2000, LNCS 1895, Springer-Verlag, 2000.  Extended version available, March 2002.

·        Trusted Computer Platform Alliance, TCPA Trusted Subsystem Specification V1.1a, 1 December 2001.  Available:, March 2002.

e)      System Vulnerabilities

¨      S Christey and C Wysopal, “Responsible Vulnerability Disclosure Process.”  Internet Engineering Task Force, Internet Draft (valid for six months), February 2002.  Available:, February 2002.

¨      F Cohen, “Computer Viruses – Theory and Experiments.”  In Proc. DOD/NBS 7th Conf on Computer Security, 1984.  Available:, 5 September 2001.

¨      C Landwehr, A Bull, J McDermott, W Choi, “A Taxonomy of Computer Program Security Flaws”, ACM Computing Surveys 26(3), 211-254, September 1994.

3)      Project Ideas

a)      Experiment with, or add functionality to, the Javascript obfuscation system developed as a class project by Erik Walle of the University of Waterloo.  Code available at, and report available at, March 2002.  You might also take a look at the obfuscated JavaScript spam email I received in January 2002: available as ObfJavascriptSpam.htm in the CompSci725 Lectures directory (hyperlink is not provided here, to minimize the risk of executing it by mistake – be careful).

b)      Perform a security audit on some software system you have developed.  Your methodology might be based on the checklist approach of G McGraw and E Felten, “Twelve Rules for Developing More Secure Java Code”, JavaWorld, 01 December 1998.  Available:, March 2002.  See also John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2001.

c)      Experiment with the X.509 authentication certificates for email, perhaps along the lines of my Assignment 2 for CompSci 725 last year.  See, available March 2002.  A simple introduction to X.509 certificates may be found in P Tremblatt, “X.509 Certificates”, Dr Dobbs Journal, July 1999.  Available:, March 2002.

d)      Try to find the watermark in, and in other Linux Redhat binaries written by “Brad C”, a Master’s student studying software watermarking overseas.  Write to for more information.

e)      Use forensic examination software, such as ComputerCop Professional P3 (I have a CD in my office) to make inferences about what an anonymous person was doing on their PC on some specific dates, (say) one month and six months in the past.

f)       More project ideas may be found on Christian Collberg’s CS 620 website, in

g)      Local software developer Ripple Effects Ltd are launching their new anti-virus software in the US shortly, to plug a major gap in the virus security area. Work with Dave Waterson (, 309-2491) and your instructor to define a project that involves testing of the pre-release version of this software.

h)      Join the PhP audit project ( or find some other way to participate in, or report on, a security audit of open-source software.  See “Building Trust in Open-Source Software”, CNET, 20 March 2002 (available, 21 March 2002).


Last modified: 20 March 2002 by cdt.